Vdoo Comments on the FDA DRAFT Guidance

Brian Russell  January 21, 2019

Vdoo Experts Provide Comments on Food and Drug Administration (FDA) Draft Premarket Submissions for Management of Cybersecurity in Medical Devices

Vdoo was pleased to provide comments on the FDA DRAFT Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. This is an important effort and we applaud the FDA for proactively updating the existing guidance to keep pace with the rapid technological change of connected medical devices. As a cybersecurity company with a mission to enable the secure design and development of IoT devices, our overall view of this guidance is very positive. We provided comments with the hope of sharing our experience to bolster an already well-formed set of recommendations.

The FDA Guidance will provide a valuable tool for identifying a set of baseline controls to apply to connected medical device design. Vdoo suggested additional guidance focused on the need to adopt a secure development lifecycle (SDL). From experience, the adoption of an SDL is a critical aspect of ensuring that a device is developed securely. Our recommendations included the addition of a section within the document that describes the controls to put in place by device manufacturers to establish an SDL. This includes processes to generate and track security requirements derived from controls in this FDA guidance document, from applicable Security Technical Implementation Guides (STIGs), from best practice industry guidance and from other sources.

Additionally, we recommended including process requirements such as establishing secure coding practices and conducting peer reviews on code. We also recommended the addition of controls focused on security analysis of software and firmware, ideally using automated firmware analysis which can be integrated directly into the developers’ Continuous Integration (CI) environment. Tools such as Vdoo’s Vision™ Autonomous Security Analysis platform can play a critical role in the secure design process through feedback loops that identify design flaws and then create appropriate requirements/user stories that then impact the security design of the device.

Recommendations and evaluations for secure development processes within the context of secure design are commonplace within government. Common Criteria, for example, include a focus on the process itself used to design and develop technology. From a process perspective, we recommended borrowing from the defense industry. For development of “high assurance” devices, there is highly collaborative process that developers and the Government conduct at the onset and during the development of new products. This process involves the tailoring of a “Security Requirements Traceability Matrix (SRTM). The SRTM is pre-loaded with technical security controls that can be applied to any development. The vendor team tailors these controls to their specific device based on the unique characteristics and operating environment of that device. This allows a master set of controls (the baseline) to be used as the starting point for any device development, providing vendors that may not have a good understanding of where to start with the low-level details they need to design security in from the beginning. The controls listed in this draft FDA Guidance would make a good starting point to expand into a medical device SRTM that could then be used and tailored by all vendors. The process of tailoring would be a negotiation between the government and manufacturer where the government ensures the vendor is not removing controls that should actually apply to the stated environment and device characteristics.

Vdoo also provided a set of detailed line-by-line recommendations based on our thorough review of the draft document. These recommendations included: * Adding specificity to the recommended secure design controls used by device manufacturers * The inclusion of a standardized threat management approach to include threat modeling activities for each product * Discussing privacy requirements in the context of this cybersecurity guidance instead of having two separate documents that medical device manufacturers will need to adjudicate
* Adding options for various tamper-resistance technologies * Adding controls to disable test ports (UART, JTAG) prior to shipment * Adding controls to implement hardware-protected storage for key material whenever feasible, and to generate cryptographic keys on-device as a best practice * Including guidance detailing how a device should “fail safe”. Manufacturers would proactively determine how their products should behave during a failure.

These recommendations are meant to enhance an already well-crafted document. We encourage medical device vendors to review the draft and begin to take actions to bolster their cybersecurity programs.

About Vdoo

Vdoo is a mission-driven company established to change the face of IoT security, and aims to become the Security Authority (SA) for connected-devices. Having created a device-focused security framework, Vdoo enables the cyber-security implementation and certification of IoT devices. By providing an end-to-end platform that can examine the device’s components and attributes, as well as identify the device's existing and missing security measures, we enable a smoother, easier pre-release security implementation process for IoT makers, based on the gap analysis results. Upon successful implementation of security measures, we certify the device, providing users and makers with peace of mind, and supporting the global move to IoT. Together with the establishment of a complete framework that includes not only the technologies themselves, but also a community that can alert, guide and offer solutions, this will set the tone for the entire industry.

Share this post
Brian Russell-Security Advisor

Brian Russell

Security Advisor

Brian Russell is a security advisor at Vdoo. He is the Chair of the Cloud Security Alliance (CSA) IoT Working Group, author of the book Practical IoT Security and an adjunct professor at the University of San Diego (USD). Brian has 20 years of experience providing information security engineering and leadership. He has provided technical leadership for the creation of cryptographic key management systems for the Department of Defense and the modernization of cryptographic systems for the U.S. Navy.

Our latest updates